A Member of the Microsoft Security Development Lifecycle (SDL) Pro Network
Casaba is a Microsoft-recommended provider of software security services
Casaba has been providing software security consulting since 2002 and we’re happy to be a part of Microsoft’s SDL Pro Network. The SDL Pro Network consists of security consultants, training companies, and tool providers who specialize in application security and training, and who have demonstrated substantial experience in the methodologies and technologies which make up the Microsoft SDL. This relationship with the Microsoft SDL Pro Network will foster Casaba’s commitment to providing top-quality SDL services to our clients.
What is SDL?
The Microsoft Security Development Lifecycle (SDL) provides a model for building and releasing robust and secure products. The SDL approach applies to hardware and embedded systems just as it does to business systems and operating system software. The benefits of investing in an SDL process include lower cost over time and lower risk to your product and its consumers. For more information about the Microsoft SDL process, visit the Microsoft SDL Portal at http://www.microsoft.com/sdl.
The following image captures the seven phases of the Microsoft SDL process version.
How can Casaba help?
Casaba can assist your business in SDL process implementation, guidance, and requirements.
- Creating an SDL process
- Enhancing an SDL process
- Meeting SDL requirements for your product
The components and process involved in the Microsoft SDL have been a natural part of Casaba’s methodology. We’ve worked with small and large organizations through every phase of this model to provide services that meet each requirement.
Creating or Enhancing an SDL Process
Casaba can work closely with your management and technical teams to understand your business and engineering operations. By understanding your business goals and development processes, an SDL process can be custom tailored to meet your needs at this point in time. Future goals and a roadmap can be established to bring more of the SDL into your business culture and process.
Changing a company culture to adopt an SDL-like process can be a challenge. Knowledge and awareness help people to understand the benefits of building more robust and secure software through SDL. Casaba can provide small training or ‘brown-bag’ sessions to educate staff on why SDL matters in your business.
Casaba can leverage the Microsoft SDL Optimization Model (http://msdn.microsoft.com/en-us/security/sdl-model-optimization.aspx) to first assess the maturity level of your current development organization. You may belong in one of four levels as depicted in the following image. We can then work to help your organization move up in these levels by implementing or improving each of the following capability areas
Enhancing an SDL Process
If your company already has some form of an SDL in place, you may want it reviewed and enhanced. Casaba can perform a gap analysis between your process approach and the Microsoft SDL benchmark. By understanding the gaps, you will gain a clearer picture of which parts are missing. We can then work with you to prioritize your needs for implementing any missing pieces in a way that makes sense for your business.
Meeting Security Development Requirements
Your company may already have an SDL or similar process in place and working satisfactorily for you. Casaba can assist in doing the work of any phase of the SDL, described more in the following outline:
SDL training can start from the basics of understanding SDL, to the more advanced concepts of secure coding and security testing. Casaba can work with you to make sure you get appropriate SDL training.
Casaba can review and enhance your current set of specifications to ensure they prepare your product for a successful and secure launch.
Casaba can review your product to provide you with a documented attack surface analysis and threat model. For example, we can review your cryptographic choices to ensure they are strong enough for your product scenarios. We can also review the ideas, logic, and proposed interfaces of your product to identify ways in which they might be attacked.
Secure coding is critical to building secure software. During this phase we can work with you to perform static code analysis of your product. We can also work with your build team to integrate static analysis into your nightly or weekly build system, ensuring developers get notified of security defects throughout the development stage, rather than all at once.
Security testing is a specialized form of Quality Assurance that requires expertise with a certain set of tools and processes. Our security consultants know the threats to software and hardware; we’ve written books on finding security bugs. Your product’s inputs may require fuzzing and verification that threats have been properly mitigated. When you put us to work, we’ll turn over every stone to find the showstopper bugs, or if you are more fortunate, to verify that your product is secure.
Prior to releasing your product, a response plan is required that includes instructions for how security incidents will be handled and escalated. Casaba can work with you to define this plan, and to perform the Final Security Review that SDL requires. The FSR is a time to review all of your past achievements in the SDL process, and ensure that nothing was missed or punted.
If you do have a security incident after release, you can call on Casaba to help. We can assist in identifying an exploited vulnerability and understanding the scope of its effect. We can also assist in defining and implementing the design or code-level changes required to mitigate the vulnerability.